Wednesday, February 25, 2015

For over one year, from December 2012 through January 2013, a hospital employee in East Texas stole patients' identities with the intent to use them for personal gain. He has been sentenced to eighteen months in federal prison for criminal HIPAA violations.

While to date prosecutors around the country have lodged few cases asserting criminal violations of HIPAA, attorneys say the health care industry's shift to electronic medical records (EHR) will present more opportunities for unauthorized access to protected health data (PHI) that will prompt more criminal actions in the years ahead.

"The conviction of a corporate entity [for HIPAA criminal charges] is certainly allowable and supported by the criminal penalties in the statute." - James M. Jacobson, partner, Nutter McClennen & Fish

Although criminal prosecutions are expected to continue to focus on individual bad actors, attorney James M. Jacobson said it was not unreasonable to expect some corporate convictions in the next few years that center on “corporate policy or procedures being so lax or nonexistent that ultimately they enabled the rogue employee to act.” Organizations seeking to proactively detect data privacy breaches by employees and contractors can utilize low-cost on-demand SaaS analytics services.